Overview
Progress has released a security update for a high-severity vulnerability (CVE-2024-6576) in the SFTP module of the MOVEit Transfer application. MOVEit is a managed secure file transfer tool. Exploitation of this vulnerability can lead to privilege escalation in MOVEit Transfer. MOVEit Cloud customers should not be affected, as this has already been patched.
Progress has released a security update that addresses fifteen vulnerabilities in the WhatsUp Gold system. Three of these vulnerabilities have been categorised as critical-severity and involve remote code execution: CVE-2024-6576, CVE-2024-4884 and CVE-2024-4485.
Microsoft published a security update to address vulnerabilities in the following products:
- Microsoft Edge Stable Channel – versions prior to 127.0.2651.86
- Microsoft Edge Extended Stable Channel – versions prior to 126.0.2592.132
Microsoft has reported that CVE-2018-0824 is currently being exploited in the wild. This is a remote code execution vulnerability that exists in ‘Microsoft COM for Windows’ when it fails to properly handle serialised objects.
An attacker who successfully exploited the vulnerability could use a specially crafted file or script to perform actions. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or make use of a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability.
Apache OFBiz has been reported as affected by a path traversal vulnerability (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal'). This issue affects Apache OFBiz versions before 18.12.13. Users are recommended to upgrade to version 18.12.13, which fixes the issue.
Roundcube webmail is affected by two cross-site scripting vulnerabilities (CVE-2024-42009 and CVE-2024-42008) that could allow an attacker to steal emails and contacts and to send emails from a victim’s account. A third vulnerability, CVE-2024-42010, could allow access to sensitive information.
Recommended Action
Organisations are encouraged to review the appropriate security advisory pages and apply the updates:
- Progress – MOVEit Transfer (Security Alert Bulletin)
- Progress – WhatsUp Gold (Security Bulletin)
- Microsoft – Microsoft Edge Security Update
- Microsoft – Advisories (CVE-2018-0824)
- Apache – Apache OFBiz
- Roundcube – Security Updates
If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.